Twitter email account hack highlights cloud dangers

As reported by Infosecurity at the time, the hack by person(s) unknown resulted in Twitter growth prediction files being emailed to a US IT news portal, apparently downloaded from the Google cloud-based document filing and storage service.

The password to the GoogleApps account was reportedly obtained by answering a set of security questions on the Twitter exec's online email account, and so 'retrieving' a new password.

According to Amichai Shulman, Imperva's CTO, the methodology of the unknown hacker shows that the security for retrieving account passwords in the cloud needs to be just as good as when identifying yourself to a bank over the phone.

People using cloud-based services, he explained, are happy to respond to 'secret questions' such as "your childhood hero", "your pet's name" and "your mother's maiden name."

Whilst these answers, he said, are likely to be unique and relatively difficult to guess on a purely random basis, they can often be second guessed by careful observation of a person's social networking site records, which then paint a very good picture of someone's likes and dislikes.

"Because of these security shortcomings - which legal professionals may yet argue about in court if Twitter does decide to sue those concerned for publishing the data - the big question is who is to blame for this highly public account hack," he said.

"Is it the fault of the email service provider or Twitter, or the senior manager concerned?"

"Or is it, as we surmise, a combination of circumstances and security failures that have conspired to create the situation?"

The reality of the Twitter email account hack, said Shulman, is that the hacker exploited a complex set of security shortcomings to reach his goal of gaining unauthorised access to the documents in question.

"Companies should take note of this risk and plan their security safeguards accordingly. Today, most companies haven't properly considered the implications of employees using social networking and the information," he said.

What’s Hot on Infosecurity Magazine?